SecureWorks Snort Plug-in Pack

Author(s)
Ben Feinstein

Latest Version
0.1.0

Description

The SecureWorks Snort Plug-in Pack is a collection of dynamic preprocessor plug-ins for the Snort intrusion detection and prevention system.

This release includes two separate dynamic preprocessors.

ActiveX Control Detection Preprocessor
Detects browser scripting-based instantiations of blacklisted ActiveX controls. Looks for ActiveX control instantiations in traffic from web servers on the specified port(s). Reads in its list of "bad" ActiveX control CLSIDs and ProgIDs from a local XML database at module load.
SSH Weak Diffie-Hellman Group Key Exchange Detection Preprocessor
Detects SSH servers and clients that are using a broken Debian OpenSSL predictable PRNG (CVE-2008-0166). Looks at SSH2 Diffie-Hellman Group Key Exchange (SSH2 KEXDH GEX) messages during SSH session setup. Attempts to brute-force the Diffie-Hellman (DH) random numbers generated by client and server and used by them to agree on the DH GEX shared secret. Uses a list of predictable random numbers that are generated by OpenSSH when using the broken Debian OpenSSL PRNG, read in from a local file.
Supported Versions of Snort
These plug-ins have been developed against the most recent stable release of Snort at this time (6 Aug 2008), Snort v2.8.2.2. Other versions of Snort may or may not work properly with these plug-ins.
No Support, No Warranty
SecureWorks cannot provide support for these tools, but feedback is appreciated.

License Agreement

This program is free software subject to the terms of the GNU General Public License.  You can use, copy, redistribute and/or modify the program under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. You should have received a copy of the GNU General Public License along with this program.  If not, please see http://www.gnu.org/licenses/ for a copy of the GNU General Public License.

The program is subject to a disclaimer of warranty and a limitation of liability, as disclosed below.

Disclaimer of Warranty.

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR, CORRECTION OR RECOVERY FROM DATA LOSS OR DATA ERRORS.

Limitation of Liability.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.

END OF TERMS AND CONDITIONS

Agree and Download Snort Plugin Pack - File
Agree and Download Snort Plugin Pack - MD5 Sum | Zipped for IE Users
Agree and Download Snort Plugin Pack - GPG Signature | Zipped for IE Users

SecureWorks Snort Plug-in Pack

Online Tools

Next Steps

Next Steps
	Request More Information Now
	Call Us Today 877-905-6661